Credit Card Processing
Credit Card Processing at UNM
This site describes the people, processes, and technology involved in UNM’s credit card compliance activities. UNM’s Controller, Information Technologies, and Information Security and Privacy Office (ISPO) have worked with UNM’s bank to develop standard card processing solutions and accompanying procedures to help ensure compliance with relevant PCI standards.
The steps for requesting new payment card processing, from initial approval to purchasing hardware and software, are included in the document linked below:
Request approval to process payment cards for your department or unit
Please note that these requests require Senior VP of Finance or Provost approval.
The application linked above will initiate creation of a Merchant ID through UNM’s Merchant Bank, as well as the ordering of approved card swipe devices, or access to TouchNet, UNM’s approved eCommerce solution.
Please note that units that process credit cards are required to complete Self-Assessment Questionnaires (SAQs) and Attestations of Compliance (AoCs) annually by the end of each July. They are also required when technology or business processes are substantially changed (for example, when a major system upgrade occurs). Copies of these records must be stored in the unit’s credit card compliance SharePoint site. Please ask your IT Officer for assistance if you are unable to access the site.
What is PCI, PCI-SSC, and PCI-DSS?
The Payment Card Industry (PCI) Security Standards Council (SSC) is the entity responsible for developing and maintaining security standards with which credit card processors like UNM must comply. The primary standard that applies to UNM is the PCI-Data Security Standard (PCI-DSS), although there are other standards that may also apply, depending upon the nature of the card processing activities.
A payment card is any type of credit, debit, or prepaid card used in a financial transaction. The PCI-DSS applies to all UNM entities (merchants) that collect, process, store, or transmit cardholder data.
Frequently Asked Questions (FAQs)
My Area Processes Credit Cards; Do We Have to Comply?
Compliance with all applicable PCI Standards is mandatory for all University departments and units that accept payment cards at or on behalf of UNM. Any third-party vendor contracted by UNM to process payment card transactions on UNM’s behalf must also comply with all applicable PCI standards at all times.
If you manage a UNM unit or department that processes payment cards, it is your responsibility to:
- Comply with UNM’s Cash Management (UAP 7200)
- Comply with UNM’s Credit Card Processing Policy (UAP 7215)
- Develop and maintain departmental procedures to ensure that credit card transactions are processed in a manner that complies with all applicable PCI standards
- Ensure that employees who process credit card transactions in areas for which you are responsible are trained on those procedures at least annually
- Complete and archive an annual Self-Assessment Questionnaire (SAQ) and/or Attestation of Compliance (AoC)
- Obtain a current AoC from all third-party payment card processing service providers
- Document that any card swipe devices are certified for current use and that they are at the latest software versions
- If you become aware of a potential information security incident or breach, notify the Controller and the ISPO at https://ispo.unm.edu
If you are an employee who processes credit cards on behalf of a UNM unit or department, it is your responsibility to:
- Complete UNM’s PCI training at least annually
- Review and understand how to comply with procedures for processing credit cards at least annually
- If you become aware of a potential information security incident or breach, notify the Controller and the ISPO at https://ispo.unm.edu
We are updating the links for documents on this page; please contact the UNM Controller if you need immediate assistance with credit card processing.